Forwarded from APT
🔐 FreeIPA Roasting (CVE-2024-3183)
A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.
🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC
#freeipa #kerberos #hashcat #cve
———
Adding Misha's talk to the Offzone wishlist 🚶♂️
🔥17
😈 [ Kleiton Kurti @kleiton0x7e ]
A year ago I published a blog post on bypassing EDR using CS profiles. I’ve updated it to include an additional way of preventing msvcrt.dll from being flagged by Defender: by making the payload CRT library-independent.
🔗 https://kleiton0x00.github.io/posts/Harnessing-the-Power-of-Cobalt-Strike-Profiles-for-EDR-Evasion/
🐥 [ tweet ]
👍12
#для_самых_маленьких
At interviews I like to ask questions that test understanding of someone else's code, and one of the amusing examples, where many people get confused when trying to quickly explain the dissonance they run into, is in my view the reimplementation of kernel32!GetModuleHandle that has spread through copy-pasting, taken for example from here.
At first glance there is nothing unusual in it, except for one nuance: the lookup of a module name through the doubly-linked list in this function only works with a non-standard definition of the LDR_DATA_TABLE_ENTRY structure.
If you turn to the documentation, the first field of LDR_DATA_TABLE_ENTRY is listed as something called PVOID Reserved1[2], which is nothing other than the doubly-linked list LIST_ENTRY InLoadOrderLinks (see image).
For this GetModuleHandle implementation to work, the definition of LDR_DATA_TABLE_ENTRY has to be as it is here, namely starting from the second field (per the documentation), LIST_ENTRY InMemoryOrderLinks.
Why is that? 🤨
Anyone who wants to can answer this question on their own and rewrite the findNtDll function using the canonical definition of LDR_DATA_TABLE_ENTRY, or open the comments and look at one of the possible solutions 👇🏻
🤔6👍2🔥2
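The offset mismatch the post describes, shown as an added, host-portable example (this is not the post's own findNtDll nor any Microsoft code). The Windows types are minimal stand-ins with the documented field order, the loader list is a constructed in-memory list of three fake modules with made-up base addresses, and `CONTAINING_RECORD` is defined locally because this compiles outside the Windows SDK. It contrasts the canonical definition walked correctly with `CONTAINING_RECORD`, the shifted copy-paste definition walked with a plain cast, and the combination that actually breaks: a plain cast on the canonical definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Portable stand-ins for the Windows types so this builds on any host.
 * Field order is the documented LDR_DATA_TABLE_ENTRY prefix: InLoadOrderLinks
 * (documented as PVOID Reserved1[2]) comes first, InMemoryOrderLinks second. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;

typedef struct {
    LIST_ENTRY InLoadOrderLinks;            /* docs: PVOID Reserved1[2] */
    LIST_ENTRY InMemoryOrderLinks;          /* Ldr->InMemoryOrderModuleList threads through here */
    LIST_ENTRY InInitializationOrderLinks;  /* docs: PVOID Reserved2[2] */
    void *DllBase;
    void *EntryPoint;
    uint32_t SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;                     /* canonical (documented) layout */

/* The layout the copy-pasted GetModuleHandle silently relies on: the first
 * documented field is dropped, so a pointer to InMemoryOrderLinks *is* a
 * pointer to the struct and a plain cast happens to work. */
typedef struct {
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    void *EntryPoint;
    uint32_t SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY_SHIFTED;

#ifndef CONTAINING_RECORD
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#endif

/* Case-insensitive compare of a counted UNICODE_STRING buffer with a C string. */
static int name_equals_nocase(const wchar_t *s, size_t n, const wchar_t *name) {
    size_t i;
    for (i = 0; i < n && name[i] != L'\0'; i++)
        if (towlower((wint_t)s[i]) != towlower((wint_t)name[i])) return 0;
    return i == n && name[i] == L'\0';
}

/* Correct walk with the canonical definition: the link pointer lands in the
 * middle of the entry, so the entry is recovered with CONTAINING_RECORD. */
void *find_module_base(LIST_ENTRY *head, const wchar_t *name) {
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (name_equals_nocase(e->BaseDllName.Buffer, e->BaseDllName.Length / sizeof(wchar_t), name))
            return e->DllBase;
    }
    return NULL;
}

/* The copy-paste variant: a direct cast, correct only because the struct
 * definition was shifted to begin at InMemoryOrderLinks. */
void *find_module_base_shifted(LIST_ENTRY *head, const wchar_t *name) {
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY_SHIFTED *e = (LDR_DATA_TABLE_ENTRY_SHIFTED *)cur;
        if (name_equals_nocase(e->BaseDllName.Buffer, e->BaseDllName.Length / sizeof(wchar_t), name))
            return e->DllBase;
    }
    return NULL;
}

/* The actual bug: a direct cast combined with the canonical definition reads
 * every field one LIST_ENTRY too late, so "DllBase" is really SizeOfImage. */
void *naive_cast_dllbase(LIST_ENTRY *link) {
    return ((LDR_DATA_TABLE_ENTRY *)link)->DllBase;
}

/* Constructed stand-in for PEB->Ldr->InMemoryOrderModuleList: three fake
 * modules with made-up base addresses, linked through InMemoryOrderLinks. */
static LIST_ENTRY g_in_memory_order_head;
static LDR_DATA_TABLE_ENTRY g_entries[3];
#define FAKE_NTDLL_BASE    ((void *)(uintptr_t)0x7ffb11000000ULL)
#define FAKE_KERNEL32_BASE ((void *)(uintptr_t)0x7ffb0f000000ULL)

LIST_ENTRY *build_constructed_loader_list(void) {
    static wchar_t *const names[3] = { L"app.exe", L"ntdll.dll", L"kernel32.dll" };
    void *const bases[3] = { (void *)(uintptr_t)0x7ff6a0000000ULL, FAKE_NTDLL_BASE, FAKE_KERNEL32_BASE };
    const uint32_t sizes[3] = { 0x20000, 0x1f8000, 0xc0000 };
    g_in_memory_order_head.Flink = g_in_memory_order_head.Blink = &g_in_memory_order_head;
    for (int i = 0; i < 3; i++) {
        LDR_DATA_TABLE_ENTRY *e = &g_entries[i];
        memset(e, 0, sizeof *e);                      /* also zeroes padding, keeps the naive read deterministic */
        e->DllBase = bases[i];
        e->SizeOfImage = sizes[i];
        e->BaseDllName.Buffer = names[i];
        e->BaseDllName.Length = (uint16_t)(wcslen(names[i]) * sizeof(wchar_t));
        e->BaseDllName.MaximumLength = (uint16_t)(e->BaseDllName.Length + sizeof(wchar_t));
        LIST_ENTRY *link = &e->InMemoryOrderLinks;    /* append at the tail of the circular list */
        link->Flink = &g_in_memory_order_head;
        link->Blink = g_in_memory_order_head.Blink;
        g_in_memory_order_head.Blink->Flink = link;
        g_in_memory_order_head.Blink = link;
    }
    return &g_in_memory_order_head;
}

int main(void) {
    LIST_ENTRY *head = build_constructed_loader_list();
    printf("canonical + CONTAINING_RECORD : %p\n", find_module_base(head, L"NTDLL.DLL"));
    printf("shifted struct, plain cast    : %p\n", find_module_base_shifted(head, L"ntdll.dll"));
    printf("canonical struct, plain cast  : %p  (wrong)\n", naive_cast_dllbase(head->Flink->Flink));
    return 0;
}
```

The first two calls return the same fake ntdll base; the third returns the SizeOfImage bits reinterpreted as a pointer, which is exactly what the copy-pasted loader would read once someone "fixes" its struct to match the documentation without also switching to CONTAINING_RECORD.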
😈 [ Josh @passthehashbrwn ]
New blog from me on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection.
Blog:
🔗 https://securityintelligence.com/x-force/using-veh-for-defense-evasion-process-injection/
Accompanying code:
🔗 https://github.com/xforcered/VectoredExceptionHandling
🐥 [ tweet ]
👍7🔥2
APT
🔐 FreeIPA Roasting (CVE-2024-3183) A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline…
Enjoyed the talk, especially the part where impacket's getTGT.py, as it turns out, can be fixed with a single line by allowing ASN.1 decoding errors.
Back in the day I solved this problem like this 👇🏻
Out of the box the getTGT[.]py script of course doesn't work, who would have thought (Fig. 1).
For some reason FreeIPA thinks that the operation number (aka application tag) of EncASRepPart is 26 (although in the RFC it is 25). Other people didn't appreciate the joke either.
If you change the ASN.1 spec the way IPA wants it, getTGT[.]py starts working (Fig. 2). Conveniently, Overpass-the-Key also works for this.
Full patch 👇🏻
diff --git a/impacket/krb5/asn1.py b/impacket/krb5/asn1.py
index 24963824..393ac9bb 100644
--- a/impacket/krb5/asn1.py
+++ b/impacket/krb5/asn1.py
@@ -283,9 +283,9 @@ class EncKDCRepPart(univ.Sequence):
_sequence_optional_component('key-expiration', 3, KerberosTime()),
_sequence_component('flags', 4, TicketFlags()),
_sequence_component('authtime', 5, KerberosTime()),
- _sequence_optional_component('starttime', 6, KerberosTime()),
+ _sequence_optional_component('starttime', 6, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('endtime', 7, KerberosTime()),
- _sequence_optional_component('renew-till', 8, KerberosTime()),
+ _sequence_optional_component('renew-till', 8, KerberosTime()), # can be empty, so worth try-excepting
_sequence_component('srealm', 9, Realm()),
_sequence_component('sname', 10, PrincipalName()),
_sequence_optional_component('caddr', 11, HostAddresses()),
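Review bot: this hunk changes only the trailing comments on `starttime` and `renew-till`, so it has no effect on decoding; both fields were already declared with `_sequence_optional_component`, which is why the actual guard has to live where the values are read (the ccache.py hunks below). Either point the comment at that spot ("absent in FreeIPA AS-REPs, handled in ccache.py") or drop it so the ASN.1 schema stays free of client-specific notes.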
diff --git a/impacket/krb5/ccache.py b/impacket/krb5/ccache.py
index 915ea268..01c7f2f8 100644
--- a/impacket/krb5/ccache.py
+++ b/impacket/krb5/ccache.py
@@ -25,6 +25,7 @@ from six import b, PY2
from pyasn1.codec.der import decoder, encoder
from pyasn1.type.univ import noValue
+from pyasn1.error import PyAsn1Error
from binascii import hexlify
from impacket.structure import Structure
@@ -493,9 +494,12 @@ class CCache:
credential['time'] = Times()
credential['time']['authtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['authtime']))
- credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ try:
+ credential['time']['starttime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['starttime']))
+ except PyAsn1Error:
+ pass
credential['time']['endtime'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['endtime']))
- credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))
+ #credential['time']['renew_till'] = self.toTimeStamp(types.KerberosTime.from_asn1(encASRepPart['renew-till']))
flags = self.reverseFlags(encASRepPart['flags'])
credential['tktflags'] = flags
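Review bot: the two absent-field cases are handled inconsistently: `starttime` is wrapped in `try:` / `except PyAsn1Error: pass`, while `renew_till` is commented out entirely, so renewable tickets from a KDC that does send `renew-till` lose that timestamp. Suggest the same `try`/`except` guard for both, and rather than `pass`, assign a fallback (for instance the `authtime` value computed two lines above) so `credential['time']` is fully populated when the ccache is written.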
diff --git a/impacket/krb5/constants.py b/impacket/krb5/constants.py
index 60f1776c..581b5007 100644
--- a/impacket/krb5/constants.py
+++ b/impacket/krb5/constants.py
@@ -42,7 +42,7 @@ class ApplicationTagNumbers(Enum):
KRB_SAFE = 20
KRB_PRIV = 21
KRB_CRED = 22
- EncASRepPart = 25
+ EncASRepPart = 26 # WTF ??? https://mailman.mit.edu/pipermail/kerberos/2006-July/010040.html
EncTGSRepPart = 26
EncApRepPart = 27
EncKrbPrivPart = 28
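Review bot: `EncASRepPart = 26` makes it equal to `EncTGSRepPart = 26` on the next line; in a Python `Enum` a second member with a duplicate value becomes an alias of the first, so `ApplicationTagNumbers(26).name` now resolves to `EncASRepPart` and `EncTGSRepPart` is no longer a distinct member. It also breaks AS-REP parsing against KDCs that use the RFC 4120 value 25, which the post itself notes is the standard. Suggest keeping 25 here and accepting either tag at the decode site, e.g. by trying `EncASRepPart` and falling back to `EncTGSRepPart` when the tag check fails.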
🔥17👍3🤯3
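The tag disagreement behind the patch, as an added example that is not part of the post or of impacket: a small DER envelope inspector that reports which APPLICATION tag a decrypted KDC-REP enc-part carries, so a client can accept either value instead of hardcoding 25 or 26 (the approach the review note above suggests). The sample buffers are constructed; only the outer identifier and length octets are meaningful, the content is a placeholder INTEGER rather than a real EncKDCRepPart. The values 25 and 26 come from RFC 4120 and from the post's description of FreeIPA's behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Application tag numbers from RFC 4120 section 5.4.2 (the same values
 * impacket's constants.py carries before the patch). */
enum { TAG_ENC_AS_REP_PART = 25, TAG_ENC_TGS_REP_PART = 26 };

/* Parse the outer DER identifier + length of an APPLICATION-class constructed
 * value.  Returns the tag number, or -1 for a non-APPLICATION or primitive
 * tag, an indefinite length (illegal in DER) or a truncated buffer.  On
 * success *hdr_len receives the header size and *content_len the declared
 * content size (either pointer may be NULL). */
int parse_application_tag(const uint8_t *der, size_t len, size_t *hdr_len, size_t *content_len) {
    if (len < 2) return -1;
    uint8_t id = der[0];
    if ((id & 0xC0) != 0x40 || (id & 0x20) == 0) return -1;  /* bits 8-7 = 01 (APPLICATION), bit 6 = constructed */
    size_t pos = 1;
    unsigned tag = id & 0x1F;
    if (tag == 0x1F) {                                         /* high-tag-number form: base-128, MSB = continuation */
        tag = 0;
        do {
            if (pos >= len || tag > (UINT32_MAX >> 7)) return -1;
            tag = (tag << 7) | (der[pos] & 0x7F);
        } while (der[pos++] & 0x80);
    }
    if (pos >= len) return -1;
    uint8_t first = der[pos++];
    size_t clen = 0;
    if (first < 0x80) {
        clen = first;                                          /* short-form length */
    } else {
        unsigned n = first & 0x7F;                             /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || pos + n > len) return -1;
        while (n--) clen = (clen << 8) | der[pos++];
    }
    if (clen > len - pos) return -1;                           /* declared content runs past the buffer */
    if (hdr_len) *hdr_len = pos;
    if (content_len) *content_len = clen;
    return (int)tag;
}

/* Declared content length of the envelope, or (size_t)-1 when it does not parse. */
size_t declared_content_length(const uint8_t *der, size_t len) {
    size_t clen;
    return parse_application_tag(der, len, NULL, &clen) < 0 ? (size_t)-1 : clen;
}

/* Name the enc-part a decrypted KDC-REP carries, instead of assuming one tag. */
const char *classify_enc_part(const uint8_t *der, size_t len) {
    switch (parse_application_tag(der, len, NULL, NULL)) {
    case TAG_ENC_AS_REP_PART:  return "EncASRepPart";   /* RFC 4120 value for an AS-REP */
    case TAG_ENC_TGS_REP_PART: return "EncTGSRepPart";  /* the value the post reports FreeIPA's AS-REP uses */
    default:                   return "unknown";
    }
}

/* Constructed samples (outer envelope only; the content is a dummy INTEGER). */
static const uint8_t SAMPLE_RFC_AS_REP[]  = { 0x79, 0x03, 0x02, 0x01, 0x05 };   /* [APPLICATION 25] */
static const uint8_t SAMPLE_IPA_AS_REP[]  = { 0x7A, 0x03, 0x02, 0x01, 0x05 };   /* [APPLICATION 26] */
static const uint8_t SAMPLE_TRUNCATED[]   = { 0x79, 0x05, 0x02 };               /* claims 5 content bytes, 1 present */
static const uint8_t SAMPLE_SEQUENCE[]    = { 0x30, 0x03, 0x02, 0x01, 0x05 };   /* UNIVERSAL SEQUENCE, not APPLICATION */
static const uint8_t SAMPLE_HIGH_TAG[]    = { 0x7F, 0x81, 0x00, 0x00 };         /* [APPLICATION 128], empty content */
static const uint8_t SAMPLE_LONG_FORM[131] = { 0x79, 0x81, 0x80 };              /* [APPLICATION 25], 128 zero bytes */

int main(void) {
    printf("%s\n", classify_enc_part(SAMPLE_RFC_AS_REP, sizeof SAMPLE_RFC_AS_REP));  /* EncASRepPart */
    printf("%s\n", classify_enc_part(SAMPLE_IPA_AS_REP, sizeof SAMPLE_IPA_AS_REP));  /* EncTGSRepPart */
    printf("%s\n", classify_enc_part(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));    /* unknown */
    return 0;
}
```

Running the inspector on the decrypted enc-part before handing it to a strict decoder tells you which schema to apply; a client that does this keeps working against both RFC-conformant KDCs and a FreeIPA that tags its AS-REP as 26.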
😈 [ Charlie Bromberg « Shutdown » @_nwodtuhs ]
🎉 After >1y of hard work, @AzeTIIx and I are thrilled to release v2 of The Hacker Recipes!
We moved away from GitBook and now have control over both engine & hosting 🥹
1st addition for contributors: your work is being highlighted across the site! 🫡
🔗 https://thehacker.recipes/
🐥 [ tweet ]
👍15
😈 [ SandboxEscaper @big_polar_bear2 ]
It is shit, I feel like I failed. Waste of time. I only added the LLL portion in the last month, but it is such a complicated topic, I just didn't get it to work well enough. Hopefully the number theoretical portion in paper.pdf is useful.
🔗 https://github.com/Big-polar-bear/factorization
🐥 [ tweet ]
something new on Fermat factorization using the Lenstra–Lenstra–Lovász (LLL) algorithm
🔥8🤯2🤔1
😈 [ VIZIT @vizitcondoms ]
By the way, we provide protection for those cases when you land your jets wherever you please
🐥 [ tweet ]
After the tenth request to comment on the arrest, I'll answer everyone at once with a quote from Twitter, to preserve the channel's authenticity
😁15🔥5👍3😢1🍌1
😈 [ Przemysław Kłys @PrzemyslawKlys ]
If you're into #ActiveDirectory, keep it clean from stale objects. CleanupMonster, my new #PowerShell module, can help you with that. I wrote a blog post about it to make it easier to implement.
It has fancy reporting and lots of customizations:
🔗 https://evotec.xyz/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster/
🐥 [ tweet ]
👍7
😈 [ Alisa Esage Шевченко @alisaesage ]
Best research of Windows IPv6 RCE bug that I've seen so far (by ynwarcs). Still plenty of room for exploit development.
🔗 https://github.com/ynwarcs/CVE-2024-38063
🐥 [ tweet ]
🔥14🥱2
😈 [ Austin Hudson @ilove2pwn_ ]
Hopefully, should be simpler in the very near future to build COM/MSRPC clients & servers ( with SEH __try/__except/__finally support ) on Unix with mingw-w64 & clang with GNU LD.
I'll be uploading an example sometime in the next few weeks depending on how busy I am.
🐥 [ tweet ]
👍4
😈 [ Viking @Vikingfr ]
"SuperFetchQuery" can be useful for some scenarios like Red Team, Exploit Dev or Maldev. Let’s take a look!
🔗 https://v1k1ngfr.github.io/superfetchquery-superpower/
🐥 [ tweet ]
🔥6
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Want to reflectively load MSVC compiled rust binaries e.g. from Powershell, C# or similar?
You have two options from my current perspective:
1) Adjust your PE-Loader to do "something" (unknown yet) for proper execution
2) Remove default main as shown:
🔗 https://gist.github.com/S3cur3Th1sSh1t/bbde56e01d7440ee97b69f4eb179f4cb
🐥 [ tweet ][ quote ]
👍9🔥1
😈 [ CICADA8Research @CICADA8Research ]
Our new article about privilege escalation via vulnerable MSI files. All roads lead to NT AUTHORITY\SYSTEM :)
🔗 https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c
🔗 https://github.com/CICADA8-Research/MyMSIAnalyzer
🐥 [ tweet ]
👍13🔥7🤯2🥱1
😈 [ Jason Lang @curi0usJack ]
It's been a while since I've gotten to modify a GPO through a proxy as part of a red team. Fun and terrifying! If you're in that scenario now, this might help:
🔗 https://trustedsec.com/blog/weaponizing-group-policy-objects-access
🐥 [ tweet ]
👍5🔥2🥱1
😈 [ Grzegorz Tworek @0gtweet ]
Listing all processes keeping a particular file open is not a trivial task, but since Vista we have a special syscall parameter for that purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into a PowerShell function. Enjoy!
🔗 https://github.com/gtworek/PSBits/blob/master/Misc2/Get-PidsForOpenFile.ps1
🐥 [ tweet ]
🔥15👍2
Offensive Xwitter
😈 [ Grzegorz Tworek @0gtweet ] Listing all processes keeping particular file open is not a trivial task but since Vista we have a special syscall parameter for such purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into PowerShell…
😈 [ Octoberfest7 @Octoberfest73 ]
Here is the full tool. Small and quick but still learned some things 🙂 Enjoy!
🔗 https://github.com/Octoberfest7/enumhandles_BOF
🐥 [ tweet ][ quote ]
👍5🤔1🥱1
😈 [ DSAS by INJECT @DevSecAS ]
🆕 Most cryptographers and packers use various methods to unpack and run a PE file from memory.
The most common techniques to this day are RunPE and LoadPE 👨💻
🔗 https://injectexp.dev/b/LoadLibraryReloaded
🔗 https://news.1rj.ru/str/INJECTCRYPT/156
🐥 [ tweet ]
🔥6👍3🍌1
😈 [ Alice Climent-Pommeret @AliceCliment ]
Hi there!
My latest article on the @harfanglab blog has just been published!
I'm talking about unpacking, XMRig, R77 and FIN7 (or not 🤓)
A special S/O to @splinter_code @JusticeRage and @securechicken
To check it out ⬇️
🔗 https://harfanglab.io/insidethelab/unpacking-packxor/
🐥 [ tweet ][ quote ]
🔥3
😈 [ William Burgess @joehowwolf ]
New CS Blog - Revisiting the UDRL Part 3: If you like the idea of loading a custom c2 channel in your UDRL then this blog may be of interest 👀
🔗 https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-3-beacon-user-data
🐥 [ tweet ]
👍3